Securing your network is super important these days, and one cool way to do it is by setting up an L2TP IPSec VPN on your MikroTik router using certificates. Trust me, it's not as scary as it sounds! I'm gonna walk you through the whole process step by step. We'll cover everything from why you should even bother with this setup to actually getting it up and running. So, let's dive in!

Why Use L2TP IPSec with Certificates?

Okay, so before we get our hands dirty, let's chat about why you'd even want to use L2TP IPSec with certificates. There are a few good reasons, guys:

• Enhanced Security: Using certificates adds an extra layer of security compared to just using a pre-shared key. Certificates are harder to crack, making your VPN more secure.
• No More Sharing Secrets: With pre-shared keys, you have to, well, share the secret key. Certificates eliminate the need to share a key, which reduces the risk of someone snagging it.
• Scalability: If you've got a bunch of users, managing certificates is way easier than managing a bunch of pre-shared keys. Trust me, you'll thank me later.
• Authentication: Certificates provide a solid way to authenticate users and devices. You can be sure that only the right people are getting onto your network.

Think of it like this: Imagine you're trying to get into a super exclusive club. With a pre-shared key, it's like everyone has the same password. But with certificates, it's like everyone has their own unique ID card that's really hard to fake. Which club would you rather be a member of?

Prerequisites

Before we jump into the configuration, let's make sure we've got everything we need. Here’s what you should have:

• A MikroTik Router: Obviously, you'll need a MikroTik router. Make sure it's running RouterOS.
• RouterOS: Ensure your RouterOS is up to date. Newer versions often have security improvements and bug fixes.
• Basic Networking Knowledge: A little understanding of networking concepts like IP addresses, subnets, and VPNs will be helpful.
• Certificate Authority (CA): You'll need a way to issue certificates. You can use your own internal CA or a public one. For this guide, we'll assume you're using your own CA. I will provide a guide on how to set up an internal CA using OpenSSL.

Step-by-Step Configuration

Alright, let's get down to business! I'm going to break this down into manageable steps so it's easy to follow. Remember to take your time and double-check everything.

Step 1: Create a Certificate Authority (CA)

If you don't already have one, you'll need to create a Certificate Authority (CA). This is what will issue the certificates for your VPN server and clients. Here’s how you can do it using OpenSSL (if you're on Windows, you might need to install OpenSSL first):

1. Generate CA Key: Open your terminal or command prompt and run:

   openssl genrsa -out ca.key 2048
   

2. Create CA Certificate: Now, create the CA certificate:

   openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
   

   You'll be prompted to enter some information. Fill it out as accurately as possible. This info will be embedded in the certificate.

Step 2: Create a Server Certificate

Next, we'll create a certificate for the L2TP server on your MikroTik router.

1. Generate Server Key: Create a private key for the server:

   openssl genrsa -out server.key 2048
   

2. Create a Certificate Signing Request (CSR): Generate a CSR for the server:

   openssl req -new -key server.key -sha256 -out server.csr
   

   Again, you'll be prompted for information. Make sure the Common Name (CN) matches the public IP address or domain name of your MikroTik router. This is crucial!
3. Sign the Server Certificate: Use your CA to sign the server's CSR:

   openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
   

Step 3: Import Certificates into MikroTik

Now, we need to get those certificates onto your MikroTik router.

1. Upload Certificates: Use WinBox or the command line to upload the ca.crt and server.crt files to your MikroTik router. You can use the /file upload command in the MikroTik terminal.
2. Import CA Certificate: In WinBox, go to System -> Certificates and click the plus sign (+). Choose Import and select the ca.crt file. Make sure trust is checked.
3. Import Server Certificate: Repeat the process for the server.crt file. This time, you'll also need to enter the password you used when creating the server key.

Step 4: Configure L2TP Server

Now, let's configure the L2TP server on your MikroTik.

1. Create an IP Pool: Go to IP -> Pool and create a new IP pool for the VPN clients. This will be the range of IP addresses assigned to clients when they connect.
2. Create a L2TP Server: Go to PPP -> L2TP Server and enable it. Configure the following:
   • Enabled: Check this box to enable the L2TP server.
   • Default Profile: Set this to a new profile (we'll create that in the next step).
   • Authentication: Only enable MSCHAP2.
   • IPsec Secret: Remove the pre-shared key here, since we're using certificates.
3. Create a PPP Profile: Go to PPP -> Profiles and create a new profile. Configure the following:
   • Name: Give it a descriptive name, like L2TP-Profile.
   • Local Address: Set this to an IP address on your MikroTik router that will be the gateway for the VPN clients.
   • Remote Address: Select the IP pool you created earlier.
   • DNS Servers: Set this to your preferred DNS servers (e.g., 8.8.8.8 and 8.8.4.4).

Step 5: Configure IPsec

Now, let's set up IPsec to secure the L2TP connection.

1. Enable IPsec: Go to IP -> IPsec -> Settings and enable IPsec. You can leave most of the settings at their defaults.
2. Create an IPsec Proposal: Go to IP -> IPsec -> Proposals and create a new proposal. Choose encryption algorithms that are strong but also supported by your client devices (e.g., aes256-sha256, aes128-sha1).
3. Create an IPsec Peer: Go to IP -> IPsec -> Peers and create a new peer. Configure the following:
   • Address: Set this to 0.0.0.0/0 to allow connections from any IP address (you can restrict this later if needed).
   • Profile: Select the IPsec proposal you created earlier.
   • Exchange Mode: Set this to ike2. (IKE1 can have some security issues.)
   • Certificate: Select the server certificate you imported earlier.
   • Verify Certificate: Check this box to ensure that the client presents a valid certificate.
   • Send Initial Contact: Yes.

Step 6: Create Firewall Rules

We need to create some firewall rules to allow the VPN traffic to pass through.

1. Allow L2TP Traffic: Go to IP -> Firewall -> Filter Rules and create a new rule with the following settings:
   • Chain: input
   • Protocol: udp
   • Dst. Port: 500,4500
   • Action: accept
2. Allow IPsec ESP Traffic: Create another rule with the following settings:
   • Chain: input
   • Protocol: ipsec-esp
   • Action: accept
3. Allow NAT Masquerade: Go to IP -> Firewall -> NAT and create a new rule with the following settings:
   • Chain: srcnat
   • Out. Interface List: Select your WAN interface.
   • Action: masquerade

Step 7: Configure Client Device

Finally, you'll need to configure your client device (e.g., Windows, macOS, iOS, Android) to connect to the L2TP IPSec VPN.

1. Import CA Certificate: Import the ca.crt file into your client device's certificate store. This is usually done through the operating system's settings.
2. Create a VPN Connection: Create a new VPN connection on your client device with the following settings:
   • Type: L2TP/IPsec with certificate
   • Server Address: Enter the public IP address or domain name of your MikroTik router.
   • Certificate: Select the client certificate you created and installed.
   • IPsec Settings: Configure IPsec to use certificate authentication and select the appropriate certificate.
   • Username and Password: These will be used for the PPP authentication. Ensure the user exists on the MikroTik.

Troubleshooting

Sometimes things don't go as planned. Here are a few common issues and how to fix them:

• Cannot Connect: Check the firewall rules to make sure they're allowing the necessary traffic. Also, double-check the IPsec settings and make sure the certificates are valid.
• Certificate Errors: Make sure the CA certificate is properly installed on the client device and that the server certificate is valid.
• IP Address Conflicts: Ensure that the IP pool you created for the VPN clients doesn't overlap with any other IP ranges on your network.
• MTU Issues: If you're experiencing slow speeds or connection drops, try adjusting the MTU (Maximum Transmission Unit) size on the client device and the MikroTik router.

Final Thoughts

Setting up L2TP IPSec with certificates on MikroTik might seem a bit complicated at first, but once you get the hang of it, it's a really powerful way to secure your network. Just remember to take your time, follow the steps carefully, and don't be afraid to troubleshoot. You got this!

By following this guide, you'll have a secure and reliable VPN that you can use to access your network from anywhere in the world. Stay safe out there, guys!

If you liked this guide, be sure to share it with your friends and colleagues. Happy networking!